Mailserver
Draft. This piece may still be extended.
Introduction
As a counterweight to an amusing article in Äripäev ( http://209.85.135.104/search?q=cache:HtdTW-LZ1_IJ:www.aripaev.ee/3693/rubr_artiklid_369301.html&hl=et&strip=1 ), here is a write-up about Postfix.
An excerpt from that article:
"Exchange 2000 is known to have size limits. 16 gigabytes for all users' e-mail is too little, considering the growth of the office. I have also noticed that the volume of correspondence keeps growing," Linros explained as the main reason for the migration. The company has 50 employees including the notaries, all of whom use Microsoft Exchange and its client program Outlook. The size limit of Exchange 2007 is many times larger and, in Linros's opinion, no trouble is to be expected with it for quite a long time. ... The notary office's solution was implemented on Dell server hardware; the total cost came to 250,000 kroons. DELL PowerEdge 2950 server specifications: processor: Dual Core Intel Xeon 5120, 4 MB cache, 1.86 GHz, 1066 MHz FSB; memory: 8 GB FB 667 MHz FBD; other: duplicated hard disks and power supply, remote management card. Why was this particular hardware chosen? For 50 users an Exchange server must have 8 GB of memory in any case. The hardware and the Windows server must be 64-bit. The remote management card was added so that the server could be administered securely from outside over a VPN. The Veritas Backup software was upgraded - the older version did not support Exchange 2007. Microsoft software: MS Windows Server Std 2003 R2a 64bit ENG - 2 pcs; MS Exchange Server 2007 English OLP NL - 1 pc; Windows Med Biz Infra CAL English OLP NL Promo User CAL (includes CALs for both the Windows and the Exchange server; Microsoft's promo was valid until 29.06.07) - 50 pcs.
Software selection
* The OS will be [[1]]
* Mail is received by [[2]]
* Greylisting for Postfix is done by [[3]]
* Spam and viruses are checked by amavis with the help of [[4]] and [[5]]
* Mail is served to users by [[6]]
* User data is kept in [[7]]
* From the web, users can read their mail through [[8]] and manage accounts through [[9]]
* Mailing lists are managed by [[10]]
Installation
I will not describe the FreeBSD installation here; I assume the ports tree is in place and was updated recently.
Postfix
First install the Postfix server that will receive the mail - without it a mail server makes little sense in the long run.
cd /usr/ports/mail/postfix
make install clean
The options chosen during installation (they can be pasted straight into that file):
cat /var/db/ports/postfix/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for postfix-2.4.5,1
_OPTIONS_READ=postfix-2.4.5,1
WITH_PCRE=true
WITH_SASL2=true
WITHOUT_DOVECOT=true
WITHOUT_SASLKRB=true
WITHOUT_SASLKRB5=true
WITHOUT_SASLKMIT=true
WITH_TLS=true
WITHOUT_BDB=true
WITHOUT_MYSQL=true
WITH_PGSQL=true
WITHOUT_OPENLDAP=true
WITH_CDB=true
WITHOUT_NIS=true
WITH_VDA=true
WITHOUT_TEST=true
What matters here is that SASL2, TLS, PGSQL and VDA support are enabled.
* SASL2 makes SMTP-AUTH possible: the sender has to log in before sending, so random spammers cannot use the server as a relay.
* TLS is the encryption protocol that protects the user's credentials when logging in with SMTP-AUTH.
* PGSQL is PostgreSQL support, used to look up the domains and the users under them to whom incoming mail belongs.
* VDA (the Virtual Delivery Agent patch) lets the virtual delivery agent enforce per-mailbox quotas; the virtual_mailbox_limit* settings later in main.cf depend on it.
Cyrus-SASL
If the cyrus-sasl2 port is not installed yet, it is pulled in during the Postfix installation.
Options:
cat /var/db/ports/cyrus-sasl2/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for cyrus-sasl-2.1.22
_OPTIONS_READ=cyrus-sasl-2.1.22
WITH_BDB=true
WITHOUT_MYSQL=true
WITHOUT_PGSQL=true
WITHOUT_SQLITE=true
WITH_DEV_URANDOM=true
WITHOUT_ALWAYSTRUE=true
WITH_KEEP_DB_OPEN=true
WITH_AUTHDAEMOND=true
WITH_LOGIN=true
WITH_PLAIN=true
WITH_CRAM=true
WITH_DIGEST=true
WITH_OTP=true
WITH_NTLM=true
AUTHDAEMOND must be selected, plus suitable login mechanisms for SMTP-AUTH/IMAP such as LOGIN, PLAIN, CRAM... Keep in mind that challenge-response mechanisms (CRAM, DIGEST) can only be verified when the server has the password in cleartext; with crypt()-hashed passwords in the database (PGSQL_CRYPT_PWFIELD further below) only PLAIN and LOGIN work, and since both send the password itself they must be wrapped in TLS.
For Postfix to reach the users kept in the database, courier-authlib is also needed. The chain is: Postfix's smtpd hands SMTP-AUTH to cyrus-sasl2, cyrus-sasl2 (with pwcheck_method authdaemond) asks courier-authlib's authdaemond, and authdaemond looks the user up in PostgreSQL ..phew ;-)
courier-authlib
cd /usr/ports/security/courier-authlib
make install clean
Options:
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for courier-authlib-0.59.3
_OPTIONS_READ=courier-authlib-0.59.3
WITHOUT_GDBM=true
WITHOUT_AUTH_LDAP=true
WITHOUT_AUTH_MYSQL=true
WITH_AUTH_PGSQL=true
WITHOUT_AUTH_USERDB=true
WITHOUT_AUTH_VCHKPW=true
postfix-gps
cd /usr/ports/mail/postfix-gps
make install clean
amavis
cd /usr/ports/security/amavisd-new
make install clean
Options:
cat /var/db/ports/amavisd-new/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for amavisd-new-2.5.4,1
_OPTIONS_READ=amavisd-new-2.5.4,1
WITH_BDB=true
WITHOUT_SQLITE=true
WITHOUT_MYSQL=true
WITH_PGSQL=true
WITHOUT_LDAP=true
WITH_SASL=true
WITHOUT_MILTER=true
WITH_SPAMASSASSIN=true
WITHOUT_P0F=true
WITH_ALTERMIME=true
WITH_FILE=true
WITH_RAR=true
WITH_UNRAR=true
WITH_ARJ=true
WITHOUT_UNARJ=true
WITH_LHA=true
WITH_ARC=true
WITHOUT_NOMARCH=true
WITH_CAB=true
WITH_RPM=true
WITH_ZOO=true
WITHOUT_UNZOO=true
WITH_LZOP=true
WITH_FREEZE=true
WITH_P7ZIP=true
WITHOUT_TNEF=true
Installing amavis also installs SpamAssassin:
Options:
cat /var/db/ports/p5-Mail-SpamAssassin/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for p5-Mail-SpamAssassin-3.2.4_2
_OPTIONS_READ=p5-Mail-SpamAssassin-3.2.4_2
WITHOUT_AS_ROOT=true
WITHOUT_SPAMC=true
WITH_SACOMPILE=true
WITHOUT_DKIM=true
WITH_SSL=true
WITH_GNUPG=true
WITHOUT_MYSQL=true
WITH_PGSQL=true
WITH_RAZOR=true
WITH_SPF_QUERY=true
WITH_RELAY_COUNTRY=true
ClamAV
cd /usr/ports/security/clamav
make install clean
Options:
cat /var/db/ports/clamav/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for clamav-0.92.1_1
_OPTIONS_READ=clamav-0.92.1_1
WITH_ARC=true
WITH_ARJ=true
WITH_LHA=true
WITH_UNZOO=true
WITH_UNRAR=true
WITHOUT_MILTER=true
WITHOUT_LDAP=true
WITHOUT_ICONV=true
WITHOUT_STDERR=true
WITH_EXPERIMENTAL=true
Courier-IMAP
Once mail has been accepted it would be nice to get at it with a mail client. Courier-IMAP offers that over both POP3 and IMAP, reading the data from Maildir-format directories.
cd /usr/ports/mail/courier-imap
make install clean
Options:
cat /var/db/ports/courier-imap/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for courier-imap-4.1.3,1
_OPTIONS_READ=courier-imap-4.1.3,1
WITH_OPENSSL=true
WITHOUT_FAM=true
WITHOUT_DRAC=true
WITH_TRASHQUOTA=true
WITHOUT_GDBM=true
WITH_IPV6=true
WITHOUT_AUTH_LDAP=true
WITHOUT_AUTH_MYSQL=true
WITH_AUTH_PGSQL=true
WITHOUT_AUTH_USERDB=true
WITHOUT_AUTH_VCHKPW=true
PostgreSQL
Keeping the user data in a database is nice because it is one more piece of this mail puzzle that makes scaling more convenient later on.
cd /usr/ports/database/postgresql83
make install clean
Options:
cat /var/db/ports/postgresql83/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for postgresql-server-8.3.1
_OPTIONS_READ=postgresql-server-8.3.1
WITH_NLS=true
WITHOUT_PAM=true
WITHOUT_LDAP=true
WITHOUT_MIT_KRB5=true
WITHOUT_HEIMDAL_KRB5=true
WITH_OPTIMIZED_CFLAGS=true
WITH_XML=true
WITH_TZDATA=true
WITHOUT_DEBUG=true
WITHOUT_ICU=true
WITH_INTDATE=true
Mailman
Any somewhat larger company or organisation will also need mailing lists for distributing information conveniently. Mailman is perfectly suitable for that.
cd /usr/ports/mail/mailman
make install clean
Options:
cat /var/db/ports/mailman/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for mailman-with-htdig-2.1.9_5
_OPTIONS_READ=mailman-with-htdig-2.1.9_5
WITHOUT_SENDMAIL=true
WITHOUT_EXIM3=true
WITHOUT_EXIM4=true
WITH_POSTFIX=true
WITHOUT_COURIER=true
WITHOUT_CHINESE=true
WITHOUT_SLOVAK=true
WITH_HTDIG=true
Web
Besides reaching their mail with the client on their own computer (on Windows I would recommend The Bat!, on *NIX Evolution), users also need access from the web - when travelling or sitting in a café, for instance. Serve both the webmail and postfixadmin over HTTPS only: they take the same passwords that SMTP-AUTH and IMAP protect with TLS, and postfixadmin can create and delete accounts.
I am skipping the apache/php installation guide here, since a little initiative is badly needed on top of the copy-paste done so far :-) The required software has already been described above, is in ports and comes with perfectly complete documentation.
NB! Postfixadmin needs one extra patch: http://troels.arvin.dk/db/postfixadmin/
Configuration
By now a good deal of software should be installed, and it needs to be made to work. We do that in the same order.
Postfix
The relevant files are under /usr/local/etc/postfix, so:
cd /usr/local/etc/postfix
The most important one is main.cf, which controls the behaviour of smtpd & friends:
/usr/local/etc/postfix/main.cf:
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
mail_owner = postfix
myhostname = mail.domeen.ee
local_recipient_maps = $virtual_mailbox_maps
unknown_local_recipient_reject_code = 550
mynetworks_style = host
relay_domains = proxy:pgsql:/usr/local/etc/postfix/pgsql/relay_domains.cf, list.domeen.ee
virtual_alias_maps = proxy:pgsql:/usr/local/etc/postfix/pgsql/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:pgsql:/usr/local/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:/usr/local/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_limit_maps = pgsql:/usr/local/etc/postfix/pgsql/virtual_mailbox_limits.cf
virtual_maildir_extended = yes
virtual_create_maildirsize = yes
virtual_mailbox_limit_inbox = yes
virtual_mailbox_limit_override = yes
virtual_mailbox_base = /var/maildata
virtual_mailbox_limit = 51200000
virtual_minimum_uid = 465
virtual_transport = virtual
virtual_uid_maps = static:465
virtual_gid_maps = static:465
local_transport = virtual
transport_maps = hash:/usr/local/etc/postfix/transport
mailman_destination_recipient_limit = 1
alias_maps = hash:/usr/local/mailman/data/aliases
smtpd_banner = MAIL - ESMTP $mail_name
debug_peer_level = 1
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = no
# anti-spam
content_filter=amavis:[127.0.0.1]:65024
disable_vrfy_command = yes
maximal_queue_lifetime = 7d
smtp_helo_timeout = 30s
smtp_mail_timeout = 60s
smtp_rcpt_timeout = 60s
smtpd_client_connection_count_limit = 100
smtpd_client_connection_rate_limit = 3000
smtpd_client_message_rate_limit = 1000
smtpd_client_recipient_rate_limit = 120
smtpd_client_restrictions = permit_inet_interfaces, reject_unknown_client_hostname, sleep 3, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_error_sleep_time = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = warn_if_reject reject_invalid_helo_hostname, sleep 3, warn_if_reject reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, permit_sasl_authenticated, sleep 5, reject_non_fqdn_recipient, reject_unauth_destination, reject_unknown_recipient_domain
smtpd_sender_restrictions = check_policy_service unix:private/policy
strict_rfc821_envelopes = yes
strict_7bit_headers = YES
smtpd_delay_reject = yes
# smtp-auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /usr/local/etc/postfix/server.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/server.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
data_directory = /var/db/postfix
At the end of /usr/local/etc/postfix/master.cf:
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=mailman argv=/usr/local/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
policy    unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/local/libexec/gps /usr/local/etc/gps.conf
amavis    unix  -       -       n       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:65025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=10.0.0.1,127.0.0.1
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
  -o local_header_rewrite_clients=
proxywrite unix -       -       n       -       1       proxymap
The 127.0.0.1:65025 service is the re-injection path: amavisd hands scanned mail back there, and because that listener sets content_filter= empty the message is not sent through amavis a second time. It only accepts connections from the addresses in its mynetworks override.
And in the /usr/local/etc/postfix/transport file:
list.domeen.ee mailman:
This file has to be run through postmap afterwards, like this:
postmap /usr/local/etc/postfix/transport
I am not going to describe what all these options mean, since Postfix's own documentation covers that. Two of them deserve a warning, though: smtpd_tls_loglevel = 3 dumps the whole TLS negotiation into the log and should be dropped to 1 once things work, and reject_unknown_client_hostname rejects every client whose IP address does not resolve to a name that resolves back to the same address, which also hits legitimate but sloppily configured senders.
The important settings:
local_recipient_maps = $virtual_mailbox_maps
relay_domains = proxy:pgsql:/usr/local/etc/postfix/pgsql/relay_domains.cf, list.domeen.ee
virtual_alias_maps = proxy:pgsql:/usr/local/etc/postfix/pgsql/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:pgsql:/usr/local/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:/usr/local/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_base = /var/maildata
virtual_mailbox_limit = 51200000
virtual_minimum_uid = 465
virtual_transport = virtual
virtual_uid_maps = static:465
virtual_gid_maps = static:465
local_transport = virtual
Without these settings Postfix knows nothing about the users in the database or about how mail should reach them.
local_recipient_maps is set to the same value as virtual_mailbox_maps
relay_domains is the SQL query for the domains this host serves as backup MX. On top of that comes list.domeen.ee, i.e. the list server. Note that without a relay_recipient_maps table Postfix accepts any recipient in a backup-MX domain and only learns at the primary that the user does not exist, which turns into backscatter bounces.
virtual_alias_maps is the SQL query for the mail aliases for which mail may be accepted
virtual_mailbox_domains is the query for the domains for which mail may be accepted
virtual_mailbox_maps is the query for the mailboxes (where they are, what permissions, etc.) used to deliver the mail
virtual_mailbox_base is the filesystem path under which the mailboxes live (it is prepended to the value returned by virtual_mailbox_maps)
virtual_uid_maps = static:465
virtual_gid_maps = static:465
... both the uid and the gid of all mailboxes are 465
The referenced files (they live under /usr/local/etc/postfix/pgsql, a directory the FreeBSD install does not create by default, so mkdir it or change the paths in the options if you put them elsewhere) that are used for the SQL queries against PostgreSQL. They contain the database password, so keep them readable only by root and the postfix user (owner root, group postfix, mode 640): the proxy: lookups run in proxymap(8) and the limits lookup in virtual(8), both of which run as the postfix user:
cat pgsql/relay_domains.cf
user = postfix
password = pass
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = true

cat pgsql/virtual_alias_maps.cf
user = postfix
password = pass
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = true

cat pgsql/virtual_domains_maps.cf
user = postfix
password = pass
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true

cat pgsql/virtual_mailbox_limits.cf
user = postfix
password = pass
hosts = localhost
dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s'

cat pgsql/virtual_mailbox_maps.cf
user = postfix
password = pass
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true
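To see how these five queries work together, here is an added example (not from the original page) that loads a cut-down copy of the postfixadmin tables into an in-memory SQLite database, with constructed sample rows, and walks a recipient address through the same decisions Postfix makes: relay_domains, virtual_mailbox_domains,  the listed-recipient check, virtual_alias_maps expansion and finally the Maildir path under virtual_mailbox_base. The real setup uses PostgreSQL and the full schema; the addresses and maildirs below are made up. Postfix quotes the lookup key it substitutes for %s, so the key cannot break out of the query; the example uses the driver's ? placeholder for the same purpose.

```python
"""Resolve envelope recipients the way the Postfix settings above do.

Added example, not code from the original page: a cut-down version of the
postfixadmin tables in SQLite (columns not needed for routing are omitted)
and the same five queries the pgsql/*.cf map files contain.
"""
import sqlite3

VIRTUAL_MAILBOX_BASE = "/var/maildata"   # main.cf: virtual_mailbox_base

# The queries from the map files, with ? where Postfix puts the quoted %s.
Q_RELAY_DOMAIN = "SELECT domain FROM domain WHERE domain=? AND backupmx=1"
Q_VIRTUAL_DOMAIN = "SELECT domain FROM domain WHERE domain=? AND backupmx=0 AND active=1"
Q_VIRTUAL_ALIAS = "SELECT goto FROM alias WHERE address=? AND active=1"
Q_VIRTUAL_MAILBOX = "SELECT maildir FROM mailbox WHERE username=? AND active=1"
Q_MAILBOX_LIMIT = "SELECT quota FROM mailbox WHERE username=?"

SCHEMA = """
CREATE TABLE domain  (domain TEXT PRIMARY KEY, backupmx INTEGER NOT NULL DEFAULT 0,
                      active INTEGER NOT NULL DEFAULT 1);
CREATE TABLE alias   (address TEXT PRIMARY KEY, goto TEXT NOT NULL, domain TEXT NOT NULL,
                      active INTEGER NOT NULL DEFAULT 1);
CREATE TABLE mailbox (username TEXT PRIMARY KEY, maildir TEXT NOT NULL,
                      quota INTEGER NOT NULL DEFAULT 0, domain TEXT NOT NULL,
                      active INTEGER NOT NULL DEFAULT 1);
"""
# Constructed sample data: an active domain, a backup-MX domain, a disabled
# domain; an active and a disabled mailbox. postfixadmin also writes a
# self-alias for every mailbox, which is mirrored here for mari.
SAMPLE_ROWS = """
INSERT INTO domain VALUES ('domeen.ee', 0, 1), ('backup.example', 1, 1), ('old.example', 0, 0);
INSERT INTO mailbox VALUES ('mari@domeen.ee', 'domeen.ee/mari/', 51200000, 'domeen.ee', 1),
                           ('jaan@domeen.ee', 'domeen.ee/jaan/', 51200000, 'domeen.ee', 0);
INSERT INTO alias VALUES ('mari@domeen.ee', 'mari@domeen.ee', 'domeen.ee', 1),
                         ('info@domeen.ee', 'mari@domeen.ee, jaan@domeen.ee', 'domeen.ee', 1),
                         ('sales@domeen.ee', 'partner@elsewhere.example', 'domeen.ee', 1);
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def expand_aliases(conn, addr, seen=None):
    """Expand virtual_alias_maps recursively, as cleanup(8) does. An address
    that maps to nothing, or back to itself, is a final target."""
    seen = set() if seen is None else seen
    if addr in seen:
        return [addr]
    seen.add(addr)
    row = conn.execute(Q_VIRTUAL_ALIAS, (addr,)).fetchone()
    if row is None:
        return [addr]
    targets = []
    for goto in row[0].split(","):
        targets.extend(expand_aliases(conn, goto.strip(), seen))
    return targets


def resolve(conn, rcpt):
    """Decide what happens to one RCPT TO address.

    Returns ('reject', reason), ('relay', domain) for a backup-MX domain, or
    ('accept', [targets]) where each target is a Maildir path under
    virtual_mailbox_base, 'smtp:<addr>' for mail forwarded off-site, or
    'bounce:<addr>' for a local address an alias points at that has no active
    mailbox (Postfix accepts the message and bounces it at delivery time).
    """
    _, at, domain = rcpt.rpartition("@")
    if not at:
        return ("reject", "non-FQDN recipient")                   # reject_non_fqdn_recipient
    if conn.execute(Q_RELAY_DOMAIN, (domain,)).fetchone():
        return ("relay", domain)                                     # relay_domains
    if conn.execute(Q_VIRTUAL_DOMAIN, (domain,)).fetchone() is None:
        return ("reject", "relay access denied")                     # reject_unauth_destination
    if (conn.execute(Q_VIRTUAL_ALIAS, (rcpt,)).fetchone() is None and
            conn.execute(Q_VIRTUAL_MAILBOX, (rcpt,)).fetchone() is None):
        return ("reject", "user unknown in virtual mailbox table")  # reject_unlisted_recipient
    targets = []
    for target in expand_aliases(conn, rcpt):
        row = conn.execute(Q_VIRTUAL_MAILBOX, (target,)).fetchone()
        if row:
            targets.append(VIRTUAL_MAILBOX_BASE + "/" + row[0])
        elif conn.execute(Q_VIRTUAL_DOMAIN, (target.rpartition("@")[2],)).fetchone():
            targets.append("bounce:" + target)
        else:
            targets.append("smtp:" + target)
    return ("accept", targets)


def quota_bytes(conn, username):
    """virtual_mailbox_limit_maps lookup; the VDA patch enforces it at delivery."""
    row = conn.execute(Q_MAILBOX_LIMIT, (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    for addr in ("mari@domeen.ee", "info@domeen.ee", "sales@domeen.ee",
                 "jaan@domeen.ee", "x@backup.example", "x@old.example", "postmaster"):
        print(addr, "->", resolve(db, addr))
```

Deactivating a mailbox (active = false) makes direct mail to it bounce at RCPT time, but mail that reaches it through an alias is still accepted and bounced later, which is the difference between the "reject" and "bounce:" outcomes above.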
Then create the directory /var/maildata and hand it over to courier
mkdir -p /var/maildata
chown -R courier:courier /var/maildata
That is where the mail will live, as the virtual_mailbox_base option says. main.cf delivers as uid/gid 465 (virtual_uid_maps and virtual_gid_maps), so check (id courier) that the courier user and group really have id 465; if not, either change the static:465 entries (and PGSQL_UID_FIELD/PGSQL_GID_FIELD in authpgsqlrc below) to match, or create the user with that id.
I would suggest leaving the anti-spam part out at first and adding it only once you have read up on those options in the Postfix documentation. If you do want it, you also need the postfix-gps (or postfix-gps-devel) port built with PostgreSQL support.
For SMTP-AUTH the server needs a certificate for TLS:
openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 3650
This writes the private key and the self-signed certificate into one file, which main.cf then uses as key, certificate and CA file. Because it contains the key, make it readable by root only (mode 600); smtpd reads it before dropping privileges, so that does not break TLS. A self-signed certificate also means clients will warn until you install it in their trust store or replace it with one from a CA.
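The main.cf above is long enough that ordering mistakes are easy to miss. The following is an added example, not part of the original page: it parses main.cf syntax (name = value, comments, and continuation lines that start with whitespace, which is how the smtpd_client_recipient_rate_limit value got split in the listing) and checks the two properties an auditor looks at first: that nothing permissive precedes reject_unauth_destination in smtpd_recipient_restrictions (Postfix takes the first permit/reject that matches, so a broad permit ahead of it is an open relay), and that SASL is only offered inside TLS. SAMPLE_MAIN_CF is a constructed excerpt of the configuration shown above.

```python
"""Static checks on a Postfix main.cf for the two mistakes that matter most.

Added example, not part of the original page. SAMPLE_MAIN_CF is a constructed
excerpt of the page's main.cf; the checks also work on `postconf -n` output.
"""
import re

SAMPLE_MAIN_CF = """\
# constructed excerpt of the page's main.cf
myhostname = mail.domeen.ee
smtpd_client_recipient_rate_limit =
    120
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination,
    permit_sasl_authenticated, sleep 5, reject_non_fqdn_recipient,
    reject_unauth_destination, reject_unknown_recipient_domain
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
disable_vrfy_command = yes
"""

# Permits that cannot open a relay: our own networks, authenticated clients,
# or mail addressed to domains we accept anyway.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated", "permit_auth_destination"}
# Restrictions that take an argument, so they occupy two whitespace-separated words.
TWO_WORD = {"sleep", "warn_if_reject", "check_policy_service", "reject_rbl_client",
            "reject_rhsbl_client", "reject_rhsbl_sender", "reject_rhsbl_helo",
            "check_client_access", "check_sender_access", "check_recipient_access",
            "check_helo_access"}


def parse_main_cf(text):
    """Return {parameter: value}; a later definition overrides an earlier one, as in Postfix."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:        # continuation line
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def restriction_list(value):
    """Split a restriction list, keeping entries like 'sleep 5' as one item."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] in TWO_WORD and i + 1 < len(tokens):
            out.append(tokens[i] + " " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def relay_findings(params):
    """smtpd_recipient_restrictions is evaluated left to right and the first
    permit/reject wins, so anything permissive ahead of reject_unauth_destination,
    or a missing/warn-only reject_unauth_destination, makes an open relay."""
    rules = restriction_list(params.get("smtpd_recipient_restrictions", ""))
    findings = []
    if "reject_unauth_destination" not in rules:
        if "warn_if_reject reject_unauth_destination" in rules:
            findings.append("reject_unauth_destination is warn-only: open relay")
        elif "reject" not in rules:
            findings.append("no reject_unauth_destination: open relay")
        return findings
    for rule in rules[:rules.index("reject_unauth_destination")]:
        if rule.startswith("permit") and rule not in SAFE_PERMITS:
            findings.append("%s precedes reject_unauth_destination: open relay" % rule)
        elif rule.startswith("check_"):
            # access maps and policy servers can answer OK, which permits relaying
            findings.append("%s precedes reject_unauth_destination: review for OK results" % rule)
    return findings


def auth_findings(params):
    """Credential handling: PLAIN/LOGIN must only be offered inside TLS."""
    findings = []
    if params.get("smtpd_sasl_auth_enable", "no") == "yes":
        if params.get("smtpd_tls_auth_only", "no") != "yes":
            findings.append("SASL enabled without smtpd_tls_auth_only = yes: cleartext credentials")
        if "noanonymous" not in params.get("smtpd_sasl_security_options", ""):
            findings.append("smtpd_sasl_security_options lacks noanonymous")
    if params.get("disable_vrfy_command", "no") != "yes":
        findings.append("VRFY enabled: mailbox enumeration")
    return findings


def audit(text):
    params = parse_main_cf(text)
    return relay_findings(params) + auth_findings(params)


if __name__ == "__main__":
    for finding in audit(SAMPLE_MAIN_CF) or ["no findings"]:
        print(finding)
```

Static checks only tell you what the file says; the real test of an open relay is to connect from an outside address and try RCPT TO a foreign domain without authenticating, which must get a 554.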
cyrus-sasl2
For the SMTP daemon to be able to talk to courier-authlib, a matching file is needed under /usr/local/lib/sasl2
cat /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path: /var/run/authdaemond/socket
mech_list is limited to PLAIN and LOGIN because the database holds crypt()-hashed passwords (PGSQL_CRYPT_PWFIELD below), which cannot verify challenge-response mechanisms; both send the password itself, which is why main.cf has smtpd_tls_auth_only = yes. The authdaemond socket must be writable by the postfix user as well as by courier.
courier-authlib
This is the piece that relays SMTP-AUTH/IMAP lookups to the database.
The configs live in /usr/local/etc/authlib
cat /usr/local/etc/authlib/authdaemonrc
authmodulelist="authpgsql"
authmodulelistorig="authuserdb authvchkpw authpam authldap authmysql authpgsql"
daemons=3
authdaemonvar=/var/run/authdaemond
subsystem=mail
DEBUG_LOGIN=0
DEFAULTOPTIONS="wbnodsn=1"
LOGGEROPTS=""
cat /usr/local/etc/authlib/authpgsqlrc
PGSQL_PORT 5432
PGSQL_USERNAME postfix
PGSQL_PASSWORD pass
PGSQL_DATABASE postfix
PGSQL_USER_TABLE mailbox
PGSQL_CRYPT_PWFIELD password
PGSQL_UID_FIELD '465'
PGSQL_GID_FIELD '465'
PGSQL_LOGIN_FIELD username
PGSQL_HOME_FIELD '/var/maildata'
PGSQL_NAME_FIELD name
PGSQL_MAILDIR_FIELD maildir
authpgsqlrc also contains the database password, so it should not be world-readable either.
Courier-IMAP
Its configs live under /usr/local/etc/courier-imap
cat /usr/local/etc/courier-imap/imapd
ADDRESS=0
PORT=143
MAXDAEMONS=40
MAXPERIP=4
PIDFILE=/var/run/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
LOGGEROPTS="-name=imapd"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_KEYWORDS=1
IMAP_ACL=1
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
IMAP_PROXY=0
IMAP_PROXY_FOREIGN=0
IMAP_IDLE_TIMEOUT=60
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_UMASK=022
IMAP_ULIMITD=65536
IMAP_USELOCKS=1
IMAP_SHAREDINDEXFILE=/usr/local/etc/courier-imap/shared/index
IMAP_ENHANCEDIDLE=0
IMAP_TRASHFOLDERNAME=Trash
IMAP_EMPTYTRASH=Trash:7
IMAP_MOVE_EXPUNGE_TO_TRASH=0
SENDMAIL=/usr/sbin/sendmail
HEADERFROM=X-IMAP-Sender
IMAPDSTART=NO
MAILDIRPATH=Maildir

cat /usr/local/etc/courier-imap/imapd-ssl
SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/local/bin/couriertls
TLS_PROTOCOL=SSL3
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CERTFILE=/usr/local/share/courier-imap/imapd.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/usr/local/var/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir
With IMAPDSTART=NO only the imapd-ssl listener on port 993 is started, so clients always get TLS, and the CRAM mechanisms have been dropped from IMAP_CAPABILITY for the same reason as in smtpd.conf (hashed passwords). If you ever start the plain listener on 143 as well, set IMAP_TLS_REQUIRED=1 so that logins are refused until STARTTLS has been negotiated. TLS_PROTOCOL=SSL3 was the default when this was written; SSLv3 is broken and any current build should use TLS1 or newer.
You can generate the SSL certificate by copying imapd.cnf.dist to imapd.cnf, adjusting its contents (ee is FreeBSD's easy editor; use whichever editor you like) and then running the mkimapdcert command.
cd /usr/local/etc/courier-imap
cp imapd.cnf.dist imapd.cnf
ee imapd.cnf
mkimapdcert
Setting up POP3 is very similar to IMAP, and you will surely manage that yourself.
PostgreSQL
First a new user has to be created:
CREATE USER postfix WITH PASSWORD 'pass';
And then a couple of databases:
CREATE DATABASE postfix OWNER postfix;
CREATE DATABASE postfix_gps OWNER postfix;
The first holds the domains and users, the second the postfix-gps greylisting data. 'pass' is a placeholder: use a real password, and the same one in the pgsql/*.cf files, authpgsqlrc and gps.conf, since every component shares this one account. Note that it can read the password hashes in mailbox and write every table; a separate read-only role for Postfix and courier-authlib would be tighter.
The schema of the postfix database (postfixadmin with the PostgreSQL patch from http://troels.arvin.dk/db/postfixadmin/ applied):
CREATE TABLE "admin" (
    username character varying(255) NOT NULL,
    "password" character varying(255) DEFAULT ''::character varying NOT NULL,
    created timestamp with time zone DEFAULT now(),
    modified timestamp with time zone DEFAULT now(),
    active boolean DEFAULT true NOT NULL
);
COMMENT ON TABLE "admin" IS 'Postfix Admin - Virtual Admins';
CREATE TABLE alias (
    address character varying(255) NOT NULL,
    goto text NOT NULL,
    "domain" character varying(255) NOT NULL,
    created timestamp with time zone DEFAULT now(),
    modified timestamp with time zone DEFAULT now(),
    active boolean DEFAULT true NOT NULL
);
COMMENT ON TABLE alias IS 'Postfix Admin - Virtual Aliases';
CREATE TABLE "domain" (
    "domain" character varying(255) NOT NULL,
    description character varying(255) DEFAULT ''::character varying NOT NULL,
    aliases integer DEFAULT 0 NOT NULL,
    mailboxes integer DEFAULT 0 NOT NULL,
    maxquota integer DEFAULT 0 NOT NULL,
    transport character varying(255),
    backupmx boolean DEFAULT false NOT NULL,
    created timestamp with time zone DEFAULT now(),
    modified timestamp with time zone DEFAULT now(),
    active boolean DEFAULT true NOT NULL
);
COMMENT ON TABLE "domain" IS 'Postfix Admin - Virtual Domains';
CREATE TABLE domain_admins (
    username character varying(255) NOT NULL,
    "domain" character varying(255) NOT NULL,
    created timestamp with time zone DEFAULT now(),
    active boolean DEFAULT true NOT NULL
);
COMMENT ON TABLE domain_admins IS 'Postfix Admin - Domain Admins';
CREATE TABLE log (
    "timestamp" timestamp with time zone DEFAULT now(),
    username character varying(255) DEFAULT ''::character varying NOT NULL,
    "domain" character varying(255) DEFAULT ''::character varying NOT NULL,
    "action" character varying(255) DEFAULT ''::character varying NOT NULL,
    data text DEFAULT ''::text NOT NULL
);
COMMENT ON TABLE log IS 'Postfix Admin - Log';
CREATE TABLE mailbox (
    username character varying(255) NOT NULL,
    "password" character varying(255) DEFAULT ''::character varying NOT NULL,
    name character varying(255) DEFAULT ''::character varying NOT NULL,
    maildir character varying(255) DEFAULT ''::character varying NOT NULL,
    quota integer DEFAULT 0 NOT NULL,
    "domain" character varying(255) NOT NULL,
    created timestamp with time zone DEFAULT now(),
    modified timestamp with time zone DEFAULT now(),
    active boolean DEFAULT true NOT NULL
);
COMMENT ON TABLE mailbox IS 'Postfix Admin - Virtual Mailboxes';
CREATE TABLE vacation (
    email character varying(255) NOT NULL,
    subject character varying(255) NOT NULL,
    body text NOT NULL,
    "domain" character varying(255) NOT NULL,
    created timestamp with time zone DEFAULT now(),
    active boolean DEFAULT true NOT NULL
);
CREATE TABLE vacation_notification (
    on_vacation character varying(255) NOT NULL,
    notified character varying(255) NOT NULL,
    notified_at timestamp with time zone DEFAULT now() NOT NULL
);
ALTER TABLE ONLY "admin" ADD CONSTRAINT admin_key PRIMARY KEY (username);
ALTER TABLE ONLY alias ADD CONSTRAINT alias_key PRIMARY KEY (address);
ALTER TABLE ONLY "domain" ADD CONSTRAINT domain_key PRIMARY KEY ("domain");
ALTER TABLE ONLY mailbox ADD CONSTRAINT mailbox_key PRIMARY KEY (username);
ALTER TABLE ONLY vacation_notification ADD CONSTRAINT vacation_notification_pkey PRIMARY KEY (on_vacation, notified);
ALTER TABLE ONLY vacation ADD CONSTRAINT vacation_pkey PRIMARY KEY (email);
CREATE INDEX alias_address_active ON alias USING btree (address, active);
CREATE INDEX domain_domain_active ON "domain" USING btree ("domain", active);
CREATE INDEX mailbox_username_active ON mailbox USING btree (username, active);
CREATE INDEX vacation_email_active ON vacation USING btree (email, active);
ALTER TABLE ONLY alias ADD CONSTRAINT alias_domain_fkey FOREIGN KEY ("domain") REFERENCES "domain"("domain");
ALTER TABLE ONLY domain_admins ADD CONSTRAINT domain_admins_domain_fkey FOREIGN KEY ("domain") REFERENCES "domain"("domain");
ALTER TABLE ONLY mailbox ADD CONSTRAINT mailbox_domain_fkey FOREIGN KEY ("domain") REFERENCES "domain"("domain");
ALTER TABLE ONLY vacation ADD CONSTRAINT vacation_domain_fkey FOREIGN KEY ("domain") REFERENCES "domain"("domain");
ALTER TABLE ONLY vacation_notification ADD CONSTRAINT vacation_notification_on_vacation_fkey FOREIGN KEY (on_vacation) REFERENCES vacation(email) ON DELETE CASCADE;
The schema of the postfix_gps database:
CREATE TABLE network (
    address character varying(16) DEFAULT ''::character varying NOT NULL,
    "comment" character varying(30) DEFAULT ''::character varying
);
CREATE TABLE pattern (
    expression character varying(200) DEFAULT ''::character varying NOT NULL,
    "comment" character varying(30) DEFAULT ''::character varying
);
CREATE TABLE recipient (
    address character varying(200) DEFAULT ''::character varying NOT NULL,
    "comment" character varying(30) DEFAULT ''::character varying
);
CREATE TABLE triplet (
    client_address character varying(40),
    sender character varying(160) NOT NULL,
    recipient character varying(160) NOT NULL,
    ip64 numeric(4,0) DEFAULT 0 NOT NULL,
    ip32 numeric(4,0) DEFAULT 0 NOT NULL,
    ip16 numeric(4,0) DEFAULT 0 NOT NULL,
    ip8 numeric(4,0) DEFAULT 0 NOT NULL,
    count integer DEFAULT 0 NOT NULL,
    uts integer NOT NULL
);
ALTER TABLE ONLY network ADD CONSTRAINT network_pkey PRIMARY KEY (address);
ALTER TABLE ONLY pattern ADD CONSTRAINT pattern_pkey PRIMARY KEY (expression);
ALTER TABLE ONLY recipient ADD CONSTRAINT recipient_pkey PRIMARY KEY (address);
ALTER TABLE ONLY triplet ADD CONSTRAINT triplet_pkey PRIMARY KEY (recipient, sender, ip64, ip32, ip16, ip8);
I assume you can handle the PostgreSQL configuration yourself - the documentation is entirely sufficient for that.
Spam & Viruses
Amavis
amavisd-new does both the spam and the virus check. Earlier, in the Postfix config, it was hooked in like this:
content_filter=amavis:[127.0.0.1]:65024
The important lines of /usr/local/etc/amavisd.conf
$max_servers = 2;                # num of pre-forked children (2..15 is common), -m
$daemon_user = 'vscan';          # (no default; customary: vscan or amavis), -u
$daemon_group = 'vscan';         # (no default; customary: vscan or amavis), -g
$mydomain = 'domeen.ee';         # a convenient default for other settings
$inet_socket_port = 65024;       # listen on this local TCP port(s)
$myhostname = 'mail.domeen.ee';  # must be a fully-qualified domain name!
@av_scanners = (
  ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
So amavisd-new listens on port 65024 and runs as the user vscan. It does the virus check through ClamAV, which it talks to over the unix socket /var/run/clamav/clamd. Two things the excerpt does not show: amavisd binds its port to 127.0.0.1 by default ($inet_socket_bind), so it is not reachable from outside, and $forward_method (default smtp:[127.0.0.1]:10025) has to point at 127.0.0.1:65025 for the re-injection listener in master.cf to be used. The "amavis" entry in master.cf allows 2 parallel deliveries (maxproc), which should match $max_servers.
ClamAV
/usr/local/etc/clamd.conf:
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 20M
LogTime yes
LogVerbose no
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/db/clamav
LocalSocket /var/run/clamav/clamd
FixStaleSocket yes
MaxConnectionQueueLength 30
StreamMaxLength 50M
MaxThreads 20
User vscan
AllowSupplementaryGroups yes
ExitOnOOM yes
Debug yes
LeaveTemporaryFiles no
ScanMail yes
LocalSocket must be the same as in amavisd.conf, i.e. /var/run/clamav/clamd. The user must also be vscan, otherwise amavisd cannot talk to clamd because it has no permission to write to the socket. (Running both as the same user also lets clamd open the temporary files amavisd unpacks, since CONTSCAN sends a path, not the data.)
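The @av_scanners entry above makes amavisd open the socket, write CONTSCAN <path> and classify clamd's reply with the three regular expressions. Here is an added example (not amavisd's or ClamAV's code) that does exactly that exchange from Python, with the three patterns transcribed: a stand-in clamd on a temporary unix socket answers in clamd's reply format with constructed results, so it runs without ClamAV installed. The socket path and the replies are the only made-up parts; ask_clamd() works unchanged against a real /var/run/clamav/clamd, which makes it a quick check that the socket is reachable from the account amavisd runs as.

```python
"""Talk to clamd the way the @av_scanners entry above makes amavisd do it.

Added example, not amavisd's or ClamAV's code. ask_clamd() sends CONTSCAN and
classifies the reply with the patterns from amavisd.conf; FakeClamdHandler
stands in for clamd and produces constructed replies in clamd's format
('<path>: OK' or '<path>: <signature> FOUND').
"""
import os
import re
import socket
import socketserver
import tempfile
import threading

# The patterns from amavisd.conf: clean, infected, and the signature name.
RE_CLEAN = re.compile(r"\bOK$")
RE_INFECTED = re.compile(r"\bFOUND$")
RE_NAME = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$")


def ask_clamd(sock_path, file_path, timeout=5.0):
    """Return ('clean', ''), ('infected', '<names>') or ('error', '<raw reply>').

    clamd opens file_path itself (CONTSCAN carries a path, not the data), so
    the file must be readable by the user clamd runs as.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(("CONTSCAN %s\n" % file_path).encode())
        chunks = []
        while True:                          # clamd closes the connection when done
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    reply = b"".join(chunks).decode(errors="replace").rstrip("\n")
    lines = reply.splitlines()
    names = []
    for line in lines:                       # CONTSCAN may report several files
        if RE_INFECTED.search(line):
            m = RE_NAME.match(line)
            names.append(m.group(1) if m else "UNKNOWN")
    if names:
        return ("infected", ", ".join(names))
    if lines and all(RE_CLEAN.search(line) for line in lines):
        return ("clean", "")
    return ("error", reply)


class FakeClamdHandler(socketserver.StreamRequestHandler):
    """Stand-in clamd: one command per connection, replies in clamd's format."""

    def handle(self):
        line = self.rfile.readline().decode(errors="replace").rstrip("\n")
        cmd, _, path = line.partition(" ")
        if cmd != "CONTSCAN":
            self.wfile.write(b"UNKNOWN COMMAND\n")
        elif "eicar" in os.path.basename(path).lower():   # constructed detection rule
            self.wfile.write(("%s: Eicar-Test-Signature FOUND\n" % path).encode())
        else:
            self.wfile.write(("%s: OK\n" % path).encode())


def start_fake_clamd():
    """Start the stand-in on a fresh socket path; returns (server, socket path)."""
    sock_path = os.path.join(tempfile.mkdtemp(), "clamd")
    server = socketserver.ThreadingUnixStreamServer(sock_path, FakeClamdHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, sock_path


def demo():
    """Run the exchange for a clean and an infected path; returns the verdicts."""
    server, sock_path = start_fake_clamd()
    try:
        return {
            "report.pdf": ask_clamd(sock_path, "/var/amavis/tmp/report.pdf"),
            "eicar.com": ask_clamd(sock_path, "/var/amavis/tmp/eicar.com"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

If the real socket refuses the connection with a permission error when run as vscan, the User line in clamd.conf or the ownership of /var/run/clamav is what to fix; the error path in ask_clamd() surfaces any reply that matches neither pattern, which is how amavisd ends up reporting a scanner as failed.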
/usr/local/etc/freshclam.conf
DatabaseDirectory /var/db/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose no
PidFile /var/run/clamav/freshclam.pid
DatabaseOwner vscan
AllowSupplementaryGroups yes
DatabaseMirror database.clamav.net
ScriptedUpdates yes
Checks 24
NotifyClamd /usr/local/etc/clamd.conf
Again, user vscan.
Note that initially /var/db/clamav and /var/log/clamav belong to the clamav user, so they have to be chowned to vscan (the same goes for /var/run/clamav, where the socket and pid files are created).
Postfix-GPS, i.e. greylisting
/usr/local/etc/gps.conf
dbtype=pgsql
db_host=localhost
db_username=postfix
db_password=pass
db_dbname=postfix_gps
timeout=60
wl_pattern=dbcached
wl_network=dbcached
wl_recipient=db
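gps is a Postfix policy server: smtpd writes the request as name=value lines ended by an empty line to the policy service in master.cf (unix:private/policy), and reads back an action line. Because main.cf has smtpd_delay_reject = yes, the check_policy_service entry in smtpd_sender_restrictions only runs at RCPT TO, so the recipient is already known and a full triplet is available. The following is an added example, not gps's code: gps's exact rules are not on the page, so it implements plain greylisting with the same ingredients (a triplet table keyed by client address, sender and recipient, a network whitelist and a recipient whitelist, as in the postfix_gps schema). It assumes the whitelist holds CIDR networks and that the delay is the timeout value in seconds; storage is an in-memory SQLite database and the request is constructed.

```python
"""Greylisting policy service in the spirit of the gps setup above.

Added example, not gps's code. Assumptions: whitelisted networks are CIDR
strings, the delay is in seconds, storage is in-memory SQLite.
"""
import ipaddress
import sqlite3
import time

DEFER = "DEFER_IF_PERMIT 450 4.2.0 Greylisted, try again later"
ACCEPT = "DUNNO"   # let the remaining Postfix restrictions decide


def parse_policy_request(blob):
    """Parse one Postfix policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in blob.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class Greylist:
    def __init__(self, delay=60, networks=(), recipients=()):
        self.delay = delay
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript("""
            CREATE TABLE triplet (client_address TEXT, sender TEXT, recipient TEXT,
                                  count INTEGER NOT NULL DEFAULT 0, uts INTEGER NOT NULL,
                                  PRIMARY KEY (recipient, sender, client_address));
            CREATE TABLE network (address TEXT PRIMARY KEY);
            CREATE TABLE recipient (address TEXT PRIMARY KEY);
        """)
        self.conn.executemany("INSERT INTO network VALUES (?)", [(n,) for n in networks])
        self.conn.executemany("INSERT INTO recipient VALUES (?)", [(r.lower(),) for r in recipients])

    def _whitelisted(self, client, rcpt):
        if self.conn.execute("SELECT 1 FROM recipient WHERE address=?", (rcpt,)).fetchone():
            return True
        try:
            ip = ipaddress.ip_address(client)
        except ValueError:           # e.g. 'unknown' for a client without an IP
            return False
        for (net,) in self.conn.execute("SELECT address FROM network"):
            if ip in ipaddress.ip_network(net, strict=False):
                return True
        return False

    def decide(self, attrs, now):
        """Return the action for one request, updating the triplet table."""
        if attrs.get("request") != "smtpd_access_policy":
            return ACCEPT
        client = attrs.get("client_address", "")
        sender = attrs.get("sender", "").lower()
        rcpt = attrs.get("recipient", "").lower()
        if self._whitelisted(client, rcpt):
            return ACCEPT
        row = self.conn.execute(
            "SELECT count, uts FROM triplet WHERE recipient=? AND sender=? AND client_address=?",
            (rcpt, sender, client)).fetchone()
        if row is None:
            # First sight of this triplet: record it and ask the sender to retry.
            self.conn.execute("INSERT INTO triplet VALUES (?, ?, ?, 0, ?)",
                              (client, sender, rcpt, now))
            return DEFER
        count, first_seen = row
        if now - first_seen < self.delay:
            return DEFER             # retried too early; real MTAs wait and try again
        self.conn.execute(
            "UPDATE triplet SET count=count+1 WHERE recipient=? AND sender=? AND client_address=?",
            (rcpt, sender, client))
        return ACCEPT

    def respond(self, blob, now=None):
        """Full protocol round trip: request text in, 'action=...' plus blank line out."""
        when = int(time.time()) if now is None else now
        return "action=%s\n\n" % self.decide(parse_policy_request(blob), when)

    def passes(self, client, sender, rcpt):
        """How many times this triplet has been accepted (the 'count' column)."""
        row = self.conn.execute(
            "SELECT count FROM triplet WHERE recipient=? AND sender=? AND client_address=?",
            (rcpt.lower(), sender.lower(), client)).fetchone()
        return row[0] if row else 0


# Constructed request, as Postfix sends it at RCPT TO.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=203.0.113.5\nsender=alice@example.org\n"
                  "recipient=mari@domeen.ee\n\n")

if __name__ == "__main__":
    g = Greylist(delay=60, networks=["10.0.0.0/24"], recipients=["postmaster@domeen.ee"])
    for t in (1000, 1030, 1061):
        print(t, g.respond(SAMPLE_REQUEST, now=t).strip())
```

DEFER_IF_PERMIT rather than DEFER is what makes this safe to place in smtpd_sender_restrictions: the temporary error is only returned if no later restriction rejects the message outright, so spam that would be rejected anyway does not get a retry invitation.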
Mailman
All lists will live under the list.domeen.ee domain (which must really exist in DNS). Since Mailman declares all files in its home directory /usr/local/mailman as belonging to the mailman user, the postfix user has to be added to the mailman group as well - otherwise the list aliases will not work.
pw groupmod mailman -m postfix
Then chmod the alias files under /usr/local/mailman/data so that the mailman group (which now includes the postfix user) can write them.
chmod 660 /usr/local/mailman/data/aliases /usr/local/mailman/data/aliases.db
Mailman's own config (mm_cfg.py) can look like this:
MTA = 'Postfix'
SMTPHOST = "localhost"
SMTPPORT = 65025
ALLOW_SITE_ADMIN_COOKIES = Yes
DEFAULT_URL_PATTERN = 'https://%s/mailman/'
PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'
OWNERS_CAN_DELETE_THEIR_OWN_LISTS = Yes
Mailman talks to port 65025 because mail submitted there is not passed through the virus check. The virus check is done when messages arrive at the list, so there is no need to check the same messages a second time on the way out. That listener only accepts connections from the addresses in its mynetworks override (127.0.0.1 and 10.0.0.1), so nothing else can use it to skip the filter.
When messages arrive for list.domeen.ee addresses, Postfix hands them to the /usr/local/mailman/bin/postfix-to-mailman.py script (see the master.cf and transport files).
It looks like this. Note that for the postmaster-type addresses it execs /usr/sbin/sendmail; on FreeBSD that is the mailwrapper, so /etc/mail/mailer.conf must point it at Postfix's /usr/local/sbin/sendmail (or change the path in the script):
#!/usr/local/bin/python

# Configuration variables - Change these for your site if necessary.
MailmanHome = "/usr/local/mailman";      # Mailman home directory.
MailmanOwner = "postmaster@domeen.ee";   # Postmaster and abuse mail recipient.
# End of configuration variables.

# postfix-to-mailman-2.1.py (to be installed as postfix-to-mailman.py)
#
# Interface mailman to a postfix with a mailman transport. Does not require
# the creation of _any_ aliases to connect lists to your mail system.
#
# Dax Kelson, dkelson@gurulabs.com, Sept 2002.
# coverted from qmail to postfix interface
# Jan 2003: Fixes for Mailman 2.1
# Thanks to Simen E. Sandberg <senilix@gallerbyen.net>
# Feb 2003: Change the suggested postfix transport to support VERP
# Thanks to Henrique de Moraes Holschuh <henrique.holschuh@ima.sp.gov.br>
#
# This script was originally qmail-to-mailman.py by:
# Bruce Perens, bruce@perens.com, March 1999.
# This is free software under the GNU General Public License.
#
# This script is meant to be called from ~mailman/postfix-to-mailman.py.
# It catches all mail to a virtual domain, eg "lists.example.com".
# It looks at the recipient for each mail message and decides if the mail is
# addressed to a valid list or not, and bounces the message with a helpful
# suggestion if it's not addressed to a list. It decides if it is a posting,
# a list command, or mail to the list administrator, by checking for the
# -admin, -owner, and -request addresses. It will recognize a list as soon
# as the list is created, there is no need to add _any_ aliases for any list.
# It recognizes mail to postmaster, mailman-owner, abuse, mailer-daemon, root,
# and owner, and routes those mails to MailmanOwner as defined in the
# configuration variables, above.
#
# INSTALLATION:
#
# Install this file as ~mailman/postfix-to-mailman.py
#
# To configure a virtual domain to connect to mailman, edit Postfix thusly:
#
# /etc/postfix/main.cf:
#   relay_domains = ... lists.example.com
#   transport_maps = hash:/etc/postfix/transport
#   mailman_destination_recipient_limit = 1
#
# /etc/postfix/transport:
#   lists.example.com mailman:
#
# /etc/postfix/master.cf
#   mailman unix  -       n       n       -       -       pipe
#     flags=FR user=mailman:mailman
#     argv=/var/mailman/postfix-to-mailman.py ${nexthop} ${user}
#
#
# Replace list.example.com above with the name of the domain to be connected
# to Mailman. Note that _all_ mail to that domain will go to Mailman, so you
# don't want to put the name of your main domain here. Typically a virtual
# domain lists.domain.com is used for Mailman, and domain.com for regular
# email.
#

import sys, os, re

def main():
    os.nice(5)  # Handle mailing lists at non-interactive priority.
                # delete this if you wish
    os.chdir(MailmanHome + "/lists")
    try:
        local = sys.argv[2]   # ${user}: the local part of the recipient
    except:
        # This might happen if we're not using Postfix
        sys.stderr.write("LOCAL not set?\n")
        sys.exit(1)

    local = local.lower()
    local = re.sub("^mailman-", "", local)
    names = ("root", "postmaster", "mailer-daemon", "mailman-owner", "owner", "abuse")
    for i in names:
        if i == local:
            os.execv("/usr/sbin/sendmail", ("/usr/sbin/sendmail", MailmanOwner))
            sys.exit(0)

    type = "post"
    types = (("-admin$", "admin"),
             ("-owner$", "owner"),
             ("-request$", "request"),
             ("-bounces$", "bounces"),
             ("-confirm$", "confirm"),
             ("-join$", "join"),
             ("-leave$", "leave"),
             ("-subscribe$", "subscribe"),
             ("-unsubscribe$", "unsubscribe"))
    for i in types:
        if re.search(i[0], local):
            type = i[1]
            local = re.sub(i[0], "", local)

    # A list exists if it has a directory under ~mailman/lists.
    if os.path.exists(local):
        os.execv(MailmanHome + "/mail/mailman",
                 (MailmanHome + "/mail/mailman", type, local))
    else:
        bounce()
        sys.exit(75)

def bounce():
    bounce_message = """\
TO ACCESS THE MAILING LIST SYSTEM: Start your web browser on
http://%s/
That web page will help you subscribe or unsubscribe, and will give
you directions on how to post to each mailing list.\n"""
    sys.stderr.write(bounce_message % (sys.argv[1]))   # ${nexthop}: the list domain
    sys.exit(1)

try:
    sys.exit(main())
except SystemExit, argument:
    sys.exit(argument)
except Exception, argument:
    info = sys.exc_info()
    trace = info[2]
    sys.stderr.write("%s %s\n" % (info[1], argument))
    sys.stderr.write("Line %d\n" % (trace.tb_lineno))
    sys.exit(75)  # Soft failure, try again later.
    del trace, info